Implement policies in Phragment

Summary: This implements support for enforcing and setting policies in Phragment.

Test Plan: Set policies and ensured they were enforced successfully.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley

CC: Korvin, epriestley, aran

Maniphest Tasks: T4205

Differential Revision: https://secure.phabricator.com/D7751

Author: hach-que

resources/sql/patches/20131211.phragmentedges.sql

@@ -0,0 +1,15 @@
+CREATE TABLE {$NAMESPACE}_phragment.edge (
+  src VARCHAR(64) NOT NULL COLLATE utf8_bin,
+  type VARCHAR(64) NOT NULL COLLATE utf8_bin,
+  dst VARCHAR(64) NOT NULL COLLATE utf8_bin,
+  dateCreated INT UNSIGNED NOT NULL,
+  seq INT UNSIGNED NOT NULL,
+  dataID INT UNSIGNED,
+  PRIMARY KEY (src, type, dst),
+  KEY (src, type, dateCreated, seq)
+) ENGINE=InnoDB, COLLATE utf8_general_ci;
+
+CREATE TABLE {$NAMESPACE}_phragment.edgedata (
+  id INT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
+  data LONGTEXT NOT NULL COLLATE utf8_bin
+) ENGINE=InnoDB, COLLATE utf8_general_ci;

src/__phutil_library_map__.php

@@ -2180,6 +2180,7 @@
     'PhortuneTestPaymentProvider' => 'applications/phortune/provider/PhortuneTestPaymentProvider.php',
     'PhortuneWePayPaymentProvider' => 'applications/phortune/provider/PhortuneWePayPaymentProvider.php',
     'PhragmentBrowseController' => 'applications/phragment/controller/PhragmentBrowseController.php',
+    'PhragmentCapabilityCanCreate' => 'applications/phragment/capability/PhragmentCapabilityCanCreate.php',
     'PhragmentController' => 'applications/phragment/controller/PhragmentController.php',
     'PhragmentCreateController' => 'applications/phragment/controller/PhragmentCreateController.php',
     'PhragmentDAO' => 'applications/phragment/storage/PhragmentDAO.php',
@@ -2193,6 +2194,7 @@
     'PhragmentPHIDTypeSnapshot' => 'applications/phragment/phid/PhragmentPHIDTypeSnapshot.php',
     'PhragmentPatchController' => 'applications/phragment/controller/PhragmentPatchController.php',
     'PhragmentPatchUtil' => 'applications/phragment/util/PhragmentPatchUtil.php',
+    'PhragmentPolicyController' => 'applications/phragment/controller/PhragmentPolicyController.php',
     'PhragmentRevertController' => 'applications/phragment/controller/PhragmentRevertController.php',
     'PhragmentSnapshot' => 'applications/phragment/storage/PhragmentSnapshot.php',
     'PhragmentSnapshotChild' => 'applications/phragment/storage/PhragmentSnapshotChild.php',
@@ -4790,6 +4792,7 @@
     'PhortuneTestPaymentProvider' => 'PhortunePaymentProvider',
     'PhortuneWePayPaymentProvider' => 'PhortunePaymentProvider',
     'PhragmentBrowseController' => 'PhragmentController',
+    'PhragmentCapabilityCanCreate' => 'PhabricatorPolicyCapability',
     'PhragmentController' => 'PhabricatorController',
     'PhragmentCreateController' => 'PhragmentController',
     'PhragmentDAO' => 'PhabricatorLiskDAO',
@@ -4811,6 +4814,7 @@
     'PhragmentPHIDTypeSnapshot' => 'PhabricatorPHIDType',
     'PhragmentPatchController' => 'PhragmentController',
     'PhragmentPatchUtil' => 'Phobject',
+    'PhragmentPolicyController' => 'PhragmentController',
     'PhragmentRevertController' => 'PhragmentController',
     'PhragmentSnapshot' =>
     array(

src/applications/files/application/PhabricatorApplicationFiles.php

@@ -61,6 +61,7 @@ public function getRoutes() {
         'xform/(?P<transform>[^/]+)/(?P<phid>[^/]+)/(?P<key>[^/]+)/'
           => 'PhabricatorFileTransformController',
         'uploaddialog/' => 'PhabricatorFileUploadDialogController',
+        'download/(?P<phid>[^/]+)/' => 'PhabricatorFileDialogController',
       ),
     );
   }

src/applications/files/controller/PhabricatorFileDataController.php

@@ -66,12 +66,12 @@ public function processRequest() {
     if ($is_viewable && !$force_download) {
       $response->setMimeType($file->getViewableMimeType());
     } else {
-      if (!$request->isHTTPPost()) {
-        // NOTE: Require POST to download files. We'd rather go full-bore and
-        // do a real CSRF check, but can't currently authenticate users on the
-        // file domain. This should blunt any attacks based on iframes, script
-        // tags, applet tags, etc., at least. Send the user to the "info" page
-        // if they're using some other method.
+      if (!$request->isHTTPPost() && !$alt_domain) {
+        // NOTE: Require POST to download files from the primary domain. We'd
+        // rather go full-bore and do a real CSRF check, but can't currently
+        // authenticate users on the file domain. This should blunt any
+        // attacks based on iframes, script tags, applet tags, etc., at least.
+        // Send the user to the "info" page if they're using some other method.
         return id(new AphrontRedirectResponse())
           ->setURI(PhabricatorEnv::getProductionURI($file->getBestURI()));
       }

src/applications/phragment/application/PhabricatorApplicationPhragment.php

@@ -37,6 +37,7 @@ public function getRoutes() {
         'browse/(?P<dblob>.*)' => 'PhragmentBrowseController',
         'create/(?P<dblob>.*)' => 'PhragmentCreateController',
         'update/(?P<dblob>.*)' => 'PhragmentUpdateController',
+        'policy/(?P<dblob>.*)' => 'PhragmentPolicyController',
         'history/(?P<dblob>.*)' => 'PhragmentHistoryController',
         'zip/(?P<dblob>.*)' => 'PhragmentZIPController',
         'zip@(?P<snapshot>[^/]+)/(?P<dblob>.*)' => 'PhragmentZIPController',
@@ -56,5 +57,12 @@ public function getRoutes() {
     );
   }
 
+  protected function getCustomCapabilities() {
+    return array(
+      PhragmentCapabilityCanCreate::CAPABILITY => array(
+      ),
+    );
+  }
+
 }
 

src/applications/phragment/capability/PhragmentCapabilityCanCreate.php

@@ -0,0 +1,20 @@
+<?php
+
+final class PhragmentCapabilityCanCreate
+  extends PhabricatorPolicyCapability {
+
+  const CAPABILITY = 'phragment.create';
+
+  public function getCapabilityKey() {
+    return self::CAPABILITY;
+  }
+
+  public function getCapabilityName() {
+    return pht('Can Create Fragments');
+  }
+
+  public function describeCapabilityRejection() {
+    return pht('You do not have permission to create fragments.');
+  }
+
+}

src/applications/phragment/controller/PhragmentBrowseController.php

@@ -4,6 +4,10 @@ final class PhragmentBrowseController extends PhragmentController {
 
   private $dblob;
 
+  public function shouldAllowPublic() {
+    return true;
+  }
+
   public function willProcessRequest(array $data) {
     $this->dblob = idx($data, "dblob", "");
   }
@@ -24,11 +28,14 @@ public function processRequest() {
     }
 
     $crumbs = $this->buildApplicationCrumbsWithPath($parents);
-    $crumbs->addAction(
-      id(new PHUIListItemView())
-        ->setName(pht('Create Fragment'))
-        ->setHref($this->getApplicationURI('/create/'.$path))
-        ->setIcon('create'));
+    if ($this->hasApplicationCapability(
+      PhragmentCapabilityCanCreate::CAPABILITY)) {
+      $crumbs->addAction(
+        id(new PHUIListItemView())
+          ->setName(pht('Create Fragment'))
+          ->setHref($this->getApplicationURI('/create/'.$path))
+          ->setIcon('create'));
+    }
 
     $current_box = $this->createCurrentFragmentView($current, false);
 
@@ -79,6 +86,7 @@ public function processRequest() {
     return $this->buildApplicationPage(
       array(
         $crumbs,
+        $this->renderConfigurationWarningIfRequired(),
         $current_box,
         $list),
       array(

src/applications/phragment/controller/PhragmentController.php

@@ -84,7 +84,7 @@ protected function createCurrentFragmentView($fragment, $is_history_view) {
         ->withPHIDs(array($fragment->getLatestVersion()->getFilePHID()))
         ->executeOne();
       if ($file !== null) {
-        $file_uri = $file->getBestURI();
+        $file_uri = $file->getDownloadURI();
       }
     }
 
@@ -93,37 +93,53 @@ protected function createCurrentFragmentView($fragment, $is_history_view) {
       ->setPolicyObject($fragment)
       ->setUser($viewer);
 
+    $can_edit = PhabricatorPolicyFilter::hasCapability(
+      $viewer,
+      $fragment,
+      PhabricatorPolicyCapability::CAN_EDIT);
+
+    $zip_uri = $this->getApplicationURI("zip/".$fragment->getPath());
+
     $actions = id(new PhabricatorActionListView())
       ->setUser($viewer)
       ->setObject($fragment)
       ->setObjectURI($fragment->getURI());
     $actions->addAction(
       id(new PhabricatorActionView())
         ->setName(pht('Download Fragment'))
-        ->setHref($file_uri)
-        ->setDisabled($file === null)
+        ->setHref($this->isCorrectlyConfigured() ? $file_uri : null)
+        ->setDisabled($file === null || !$this->isCorrectlyConfigured())
         ->setIcon('download'));
     $actions->addAction(
       id(new PhabricatorActionView())
         ->setName(pht('Download Contents as ZIP'))
-        ->setHref($this->getApplicationURI("zip/".$fragment->getPath()))
-        ->setDisabled(false) // TODO: Policy
+        ->setHref($this->isCorrectlyConfigured() ? $zip_uri : null)
+        ->setDisabled(!$this->isCorrectlyConfigured())
         ->setIcon('zip'));
     if (!$fragment->isDirectory()) {
       $actions->addAction(
         id(new PhabricatorActionView())
           ->setName(pht('Update Fragment'))
           ->setHref($this->getApplicationURI("update/".$fragment->getPath()))
-          ->setDisabled(false) // TODO: Policy
+          ->setDisabled(!$can_edit)
+          ->setWorkflow(!$can_edit)
           ->setIcon('edit'));
     } else {
       $actions->addAction(
         id(new PhabricatorActionView())
           ->setName(pht('Convert to File'))
           ->setHref($this->getApplicationURI("update/".$fragment->getPath()))
-          ->setDisabled(false) // TODO: Policy
+          ->setDisabled(!$can_edit)
+          ->setWorkflow(!$can_edit)
           ->setIcon('edit'));
     }
+    $actions->addAction(
+      id(new PhabricatorActionView())
+        ->setName(pht('Set Fragment Policies'))
+        ->setHref($this->getApplicationURI("policy/".$fragment->getPath()))
+        ->setDisabled(!$can_edit)
+        ->setWorkflow(!$can_edit)
+        ->setIcon('edit'));
     if ($is_history_view) {
       $actions->addAction(
         id(new PhabricatorActionView())
@@ -142,15 +158,16 @@ protected function createCurrentFragmentView($fragment, $is_history_view) {
         ->setName(pht('Create Snapshot'))
         ->setHref($this->getApplicationURI(
           "snapshot/create/".$fragment->getPath()))
-        ->setDisabled(false) // TODO: Policy
+        ->setDisabled(!$can_edit)
+        ->setWorkflow(!$can_edit)
         ->setIcon('snapshot'));
     $actions->addAction(
       id(new PhabricatorActionView())
         ->setName(pht('Promote Snapshot to Here'))
         ->setHref($this->getApplicationURI(
           "snapshot/promote/latest/".$fragment->getPath()))
         ->setWorkflow(true)
-        ->setDisabled(false) // TODO: Policy
+        ->setDisabled(!$can_edit)
         ->setIcon('promote'));
 
     $properties = id(new PHUIPropertyListView())
@@ -188,4 +205,33 @@ protected function createCurrentFragmentView($fragment, $is_history_view) {
       ->addPropertyList($properties);
   }
 
+  function renderConfigurationWarningIfRequired() {
+    $alt = PhabricatorEnv::getEnvConfig("security.alternate-file-domain");
+    if ($alt === null) {
+      return id(new AphrontErrorView())
+        ->setTitle(pht('security.alternate-file-domain must be configured!'))
+        ->setSeverity(AphrontErrorView::SEVERITY_ERROR)
+        ->appendChild(phutil_tag('p', array(), pht(
+          'Because Phragment generates files (such as ZIP archives and '.
+          'patches) as they are requested, it requires that you configure '.
+          'the `security.alterate-file-domain` option.  This option on it\'s '.
+          'own will also provide additional security when serving files '.
+          'across Phabricator.')));
+    }
+    return null;
+  }
+
+  /**
+   * We use this to disable the download links if the alternate domain is
+   * not configured correctly.  Although the download links will mostly work
+   * for logged in users without an alternate domain, the behaviour is
+   * reasonably non-consistent and will deny public users, even if policies
+   * are configured otherwise (because the Files app does not support showing
+   * the info page to viewers who are not logged in).
+   */
+  function isCorrectlyConfigured() {
+    $alt = PhabricatorEnv::getEnvConfig("security.alternate-file-domain");
+    return $alt !== null;
+  }
+
 }

src/applications/phragment/controller/PhragmentCreateController.php

@@ -123,6 +123,7 @@ public function processRequest() {
     return $this->buildApplicationPage(
       array(
         $crumbs,
+        $this->renderConfigurationWarningIfRequired(),
         $box),
       array(
         'title' => pht('Create Fragment'),

src/applications/phragment/controller/PhragmentHistoryController.php

@@ -4,6 +4,10 @@ final class PhragmentHistoryController extends PhragmentController {
 
   private $dblob;
 
+  public function shouldAllowPublic() {
+    return true;
+  }
+
   public function willProcessRequest(array $data) {
     $this->dblob = idx($data, "dblob", "");
   }
@@ -21,11 +25,14 @@ public function processRequest() {
     $path = $current->getPath();
 
     $crumbs = $this->buildApplicationCrumbsWithPath($parents);
-    $crumbs->addAction(
-      id(new PHUIListItemView())
-        ->setName(pht('Create Fragment'))
-        ->setHref($this->getApplicationURI('/create/'.$path))
-        ->setIcon('create'));
+    if ($this->hasApplicationCapability(
+      PhragmentCapabilityCanCreate::CAPABILITY)) {
+      $crumbs->addAction(
+        id(new PHUIListItemView())
+          ->setName(pht('Create Fragment'))
+          ->setHref($this->getApplicationURI('/create/'.$path))
+          ->setIcon('create'));
+    }
 
     $current_box = $this->createCurrentFragmentView($current, true);
 
@@ -44,6 +51,11 @@ public function processRequest() {
       ->execute();
     $files = mpull($files, null, 'getPHID');
 
+    $can_edit = PhabricatorPolicyFilter::hasCapability(
+      $viewer,
+      $current,
+      PhabricatorPolicyCapability::CAN_EDIT);
+
     $first = true;
     foreach ($versions as $version) {
       $item = id(new PHUIObjectItemView());
@@ -58,7 +70,7 @@ public function processRequest() {
         $item->addAttribute('Deletion');
       }
 
-      if (!$first) {
+      if (!$first && $can_edit) {
         $item->addAction(id(new PHUIListItemView())
           ->setIcon('undo')
           ->setRenderNameAsTooltip(true)
@@ -71,13 +83,15 @@ public function processRequest() {
       $disabled = !isset($files[$version->getFilePHID()]);
       $action = id(new PHUIListItemView())
         ->setIcon('download')
-        ->setDisabled($disabled)
+        ->setDisabled($disabled || !$this->isCorrectlyConfigured())
         ->setRenderNameAsTooltip(true)
         ->setName(pht("Download"));
-      if (!$disabled) {
-        $action->setHref($files[$version->getFilePHID()]->getBestURI());
+      if (!$disabled && $this->isCorrectlyConfigured()) {
+        $action->setHref($files[$version->getFilePHID()]
+          ->getDownloadURI($version->getURI()));
       }
       $item->addAction($action);
+
       $list->addItem($item);
 
       $first = false;
@@ -86,6 +100,7 @@ public function processRequest() {
     return $this->buildApplicationPage(
       array(
         $crumbs,
+        $this->renderConfigurationWarningIfRequired(),
         $current_box,
         $list),
       array(